The Federal Bureau of Investigation has issued an alert to inform organizations in the United States of the risk associated with the use of Chinese tax software.
In late June, security researchers at Trustwave published a report on a piece of malware that was dropped into the environment of an organization doing business in China through tax software that is mandatory in the country.
The threat, which Trustwave named GoldenSpy, was delivered to an organization via software from the Golden Tax Department of Aisino Corporation, and it appears to have been in use since 2016. Once installed, it provides SYSTEM-level backdoor access to the network.
Within days after the initial report was published, an uninstaller was delivered to compromised organizations through the update service of the tax software, and all traces of GoldenSpy were erased.
Weeks later, Trustwave published information on another piece of malware deployed through mandatory tax software onto the networks of organizations doing business in China. Referred to as GoldenHelper and dated prior to GoldenSpy, this malware family was dropped by software from Baiwang.
Last week, the FBI issued an alert to warn healthcare, chemical, and finance organizations in the United States of “potential targeting activity by the Chinese government against their business and operational components based in China.”
The alert points out that tax software provided by Chinese banks to at least two Western organizations doing business in the country would install a backdoor supposedly allowing “cyber actors to preposition to conduct remote code execution and exfiltration activities on the victim’s network.”
The FBI notes that all foreign companies in China might be at risk, and that the US healthcare and chemical industries have long been targeted by Chinese cyber spies.
“Pharmaceutical companies form a critical interdependency between the manufacturing components of the chemical sector and the supply chain of the Healthcare and Public Health Sector. Compromise of the pharmaceutical supply chain provides malicious actors opportunities for theft of US intellectual property, while public disclosure can cause cascading effects including loss of public trust in both chemical and healthcare institutions,” the alert reads.
The FBI underlines that the use of software from Baiwang and Aisino, the only tax software service providers authorized to operate the value added tax (VAT) system in China, represents a risk to US organizations, especially in the light of Trustwave’s discoveries.
The alert also contains indicators of compromise (IoC) and recommendations on how organizations can mitigate such intrusions. The FBI plans on publishing a more detailed technical analysis at a later date.